cbcvebase.
CVE-2026-46448
published 2026-06-16

CVE-2026-46448: In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.

PriorityP349high8.5CVSS 3.1
AVNACLPRLUINSCCNILAH
EPSS
0.27%
18.9th percentile
In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.

Affected

6 ranges
VendorProductVersion rangeFixed in
openstacknova>= 18.0.0 < 31.3.131.3.1
openstacknova18.0.0 – 31.3.0
openstacknova>= 32.0.0 < 32.2.132.2.1
openstacknova>= 32.0.0 < 32.2.132.2.1
openstacknova>= 33.0.0 < 33.0.233.0.2
openstacknova33.0.0 – 33.0.1

CVSS provenance

nvdv3.18.5HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
ghsa5.4MEDIUM
vendor_redhat5.4MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.